'Petya': Another ransomware that locks your complete PC

The new ransomware which has been dubbed Petya (after the notification it shows to the user) is the first of its kind to encrypt entire hard drives.

The researchers at the G DATA SecurityLabs discovered a set of files which is associated with this new type of ransomware. Ransomware families such as Locky, CryptoWall or TeslaCrypt usually encrypt individual files. Petya targets the entire hard drive instead of individual files or file types.



This malware campaign is obviously aiming at companies. In a job application e-mail sent to the HR department, a Dropbox download link is referenced, from which a 'job application portfolio' can allegedly be downloaded.
More details: Ransomware Petya encrypts hard drives - SECURITY BLOG

[image] Source: Mikko Hypponen on Twitter

I think this one is worth sharing here too; find the original post in Petya MBR Encryption Ransomware Test by @cruelsister, post #20 if I counted correctly.

Dr Web blocks it just fine using default settings (which block direct disk access for all processes), both in Katana and in their normal AV/IS product. The malware will just sit there and consume excessive amounts of CPU because it just tries to infect the MBR over and over again. EAM blocks it as well, for pretty much the same reason.

In general the threat already has kind of an expiration date. If you use any modern version of Windows (8, 8.1, 10) and if you are using UEFI/EFI to boot (which you really, really should), you are automatically protected from it, because the code in the MBR never gets to execute. The Windows binary itself doesn't do any actual encryption. It just prepares the malicious boot loader and writes it to disk. That's it. The actual encryption of the MFT is performed by the boot loader. I posted some technical information here:

KernelMode.info • View topic - Petya malware

Since the actual file data isn't touched by the malware at all and only the MFT is encrypted, all tools that allow you to restore files without using the MFT will work just fine. You will probably lose directory names and structure, but if you shell out the $80 for GetDataBack, for example, or any other zero-knowledge file recovery tool, you will get your files back just fine, with the exception of small files that may be stored within the MFT itself and may be encrypted.
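The quoted post makes two checkable claims about where the damage lives: the user-mode binary only rewrites the MBR with a new boot loader (which is why blocking raw disk access stops it), and on a UEFI/GPT machine the firmware never runs MBR bootstrap code. The following is an added example, not code from the thread or from any product named in it: it parses a 512-byte MBR, distinguishes a legacy MBR from a GPT protective MBR (partition type 0xEE), and diffs the bootstrap region against a baseline hash recorded from a known-good sector. The sample sectors are constructed; the "clean" bootstrap is a stand-in for the first instructions of a typical BIOS MBR, not a real Windows MBR, and none of it is Petya data. One caveat the post does not spell out: a disk booted through the UEFI CSM (legacy mode) does execute its MBR code, so the hash comparison is still worth keeping on GPT disks.

```python
"""Added example (not from the thread or from any product it names):
parse a 512-byte MBR, tell a legacy MBR from a GPT protective MBR, and
diff the bootstrap region against a baseline hash taken from a known-good
sector. A boot-loader-replacing ransomware rewrites the bootstrap bytes
(0..445); the partition table and the 0x55AA signature are usually left
intact. Under native UEFI boot the firmware never executes MBR bootstrap
code, so on GPT disks the partition type 0xEE is the thing to confirm.
All sample sectors here are constructed; none is real Petya data."""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 446          # bootstrap code, bytes 0..445
PART_TABLE_OFF = 446        # four 16-byte partition entries follow
PART_ENTRY = "<B3xB3xII"    # status, CHS start (skipped), type, CHS end (skipped), LBA start, LBA count
GPT_PROTECTIVE_TYPE = 0xEE


def parse_mbr(sector: bytes) -> dict:
    """Return signature validity, partition entries, GPT flag and a hash of the bootstrap region."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, lba_start, lba_count = struct.unpack_from(PART_ENTRY, sector, PART_TABLE_OFF + i * 16)
        if ptype:                                   # type 0x00 means an unused entry
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": lba_count})
    return {
        "valid_signature": sector[510:512] == b"\x55\xAA",
        "protective_gpt": any(p["type"] == GPT_PROTECTIVE_TYPE for p in parts),
        "partitions": parts,
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
    }


def assess(sector: bytes, baseline_bootcode_sha256: str) -> str:
    """Classify a sector relative to a baseline hash recorded from the clean machine."""
    info = parse_mbr(sector)
    if not info["valid_signature"]:
        return "invalid: missing 0x55AA boot signature"
    modified = info["bootcode_sha256"] != baseline_bootcode_sha256
    if info["protective_gpt"]:
        # Native UEFI boot ignores this code; a CSM/legacy boot of the same disk would not.
        state = "modified but not executed under native UEFI" if modified else "unchanged"
        return "gpt: protective MBR, bootstrap " + state
    if modified:
        return "tampered: bootstrap code differs from baseline"
    return "clean: bootstrap code matches baseline"


def make_mbr(bootcode: bytes, entries) -> bytes:
    """Build a constructed MBR from bootstrap bytes, (status, type, lba_start, count) entries and a signature."""
    sector = bytearray(SECTOR)
    code = bootcode[:BOOTCODE_LEN]
    sector[:len(code)] = code
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFF + i * 16, status, ptype, start, count)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


# Constructed samples. The "clean" bootstrap is a stand-in (the opening instructions of a
# typical BIOS MBR: xor ax,ax / mov ss,ax / mov sp,0x7c00, then NOP padding), not a Windows MBR.
CLEAN_MBR = make_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 64, [(0x80, 0x07, 2048, 1_000_000)])
BASELINE = parse_mbr(CLEAN_MBR)["bootcode_sha256"]          # record this on the clean machine
# Same partition table, replaced loader: what a boot-loader ransomware leaves behind.
TAMPERED_MBR = make_mbr(b"\xfa\x31\xc0" + b"\xcc" * 100, [(0x80, 0x07, 2048, 1_000_000)])
# GPT disk: a single protective entry of type 0xEE spanning the disk.
GPT_MBR = make_mbr(b"\x00" * 16, [(0x00, GPT_PROTECTIVE_TYPE, 1, 0xFFFFFFFF)])

if __name__ == "__main__":
    for name, sec in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR),
                      ("gpt", GPT_MBR), ("zeroed", bytes(SECTOR))):
        print(f"{name:9s} {assess(sec, BASELINE)}")
```

On a live system the sector to feed into `assess()` is the first 512 bytes of the physical disk (read with administrative rights); the baseline hash is the one recorded at install time, and a changed hash with an unchanged partition table is exactly the pattern the post describes.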
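The recovery remark at the end of the quoted post (file data untouched, only the MFT encrypted, small resident files lost) is what signature-based carving exploits. The following is an added example, not code from the thread and not how GetDataBack or any other product works internally: it carves PNG and JPEG files out of a raw image purely by their signatures, never reading the MFT. The disk image is constructed: one cluster standing in for the $MFT is overwritten with seeded pseudo-random bytes to model the encryption, a PNG and a JPEG sit in their own data clusters, and a short text file that only ever existed as a resident attribute inside its MFT record is gone afterwards, which is the exception the post mentions. File names, paths and timestamps are not recovered by this approach, only contents.

```python
"""Added example (not from the thread or from any recovery product it names):
signature-based file carving over a raw disk image, i.e. recovery that never
consults the MFT. The image is constructed: a cluster standing in for the
$MFT is overwritten with pseudo-random bytes (modelling the encrypted MFT),
a PNG and a JPEG sit in their own data clusters, and a tiny text file that
only ever existed as a resident attribute inside its MFT record is gone.
Names, paths and timestamps are not recoverable this way; cluster-resident
file contents are."""
import random
import struct
import zlib

CLUSTER = 4096
PNG_SIG = b"\x89PNG\r\n\x1a\n"
RESIDENT_NOTE = b"resident note: small files live inside the MFT record itself"


def make_png(width: int = 2, height: int = 2) -> bytes:
    """Constructed, valid PNG (solid red) with correct chunk CRCs."""
    def chunk(kind: bytes, data: bytes) -> bytes:
        return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", zlib.crc32(kind + data))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)               # 8-bit RGB, no interlace
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))    # filter byte + pixels per row
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def make_jpeg(payload: bytes = b"\x00" * 64) -> bytes:
    """Constructed JFIF framing (SOI, APP0, dummy payload, EOI): enough structure for carving."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8" + app0 + payload + b"\xff\xd9"


def build_image() -> bytes:
    """Constructed 8-cluster volume: cluster 1 is the 'MFT', clusters 3 and 5 hold file data."""
    img = bytearray(CLUSTER * 8)
    mft = b"FILE0" + bytes(43) + RESIDENT_NOTE                 # toy record: header + resident data
    img[CLUSTER:CLUSTER + len(mft)] = mft
    # Model the MFT encryption: the whole cluster becomes key-stream-looking bytes (seeded, reproducible).
    img[CLUSTER:2 * CLUSTER] = random.Random(2016).randbytes(CLUSTER)
    png, jpg = make_png(), make_jpeg()
    img[3 * CLUSTER:3 * CLUSTER + len(png)] = png
    img[5 * CLUSTER:5 * CLUSTER + len(jpg)] = jpg
    return bytes(img)


def png_end(image: bytes, start: int):
    """Walk chunks from a PNG signature, verifying CRCs; return the offset just past IEND, or None."""
    pos = start + len(PNG_SIG)
    first = True
    while pos + 12 <= len(image):
        length, kind = struct.unpack_from(">I4s", image, pos)
        if first and kind != b"IHDR":
            return None                                  # a real PNG always starts with IHDR
        first = False
        if pos + 12 + length > len(image):
            return None
        crc, = struct.unpack_from(">I", image, pos + 8 + length)
        if crc != zlib.crc32(image[pos + 4:pos + 8 + length]):
            return None                                  # corrupt data or a false-positive signature
        pos += 12 + length
        if kind == b"IEND":
            return pos
    return None


def carve(image: bytes) -> list:
    """Return (kind, offset, length) for every PNG and JPEG found by signature, ordered by offset."""
    found = []
    pos = 0
    while (pos := image.find(PNG_SIG, pos)) != -1:
        end = png_end(image, pos)
        if end:
            found.append(("png", pos, end - pos))
            pos = end
        else:
            pos += 1
    pos = 0
    while (pos := image.find(b"\xff\xd8\xff", pos)) != -1:
        # Require a real marker after SOI (APP0/APP1/DQT) to reject chance byte runs in key stream.
        if pos + 4 <= len(image) and image[pos + 3] in (0xE0, 0xE1, 0xDB):
            eoi = image.find(b"\xff\xd9", pos + 4)       # an embedded thumbnail's EOI would cut this short
            if eoi != -1:
                found.append(("jpeg", pos, eoi + 2 - pos))
                pos = eoi + 2
                continue
        pos += 1
    return sorted(found, key=lambda f: f[1])


if __name__ == "__main__":
    img = build_image()
    for kind, off, size in carve(img):
        print(f"{kind}: cluster {off // CLUSTER}, {size} bytes")
    print("resident note recoverable:", RESIDENT_NOTE in img)    # False: it sat inside the encrypted MFT
```

Real carvers add more formats, scan on sector boundaries for speed and handle fragmented files, but the two properties the post relies on are already visible here: the images come back intact from their clusters without any metadata, and the note that lived inside its MFT record does not come back at all.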
 
If you click No on UAC, it can't do anything; that's proof UAC is needed!
Users need to know when to click Yes or No. Most users will click Yes because they have already decided to open the file, and UAC for them is just an "are you sure?".
 
At least UAC knows about it, which means Petya did not create a bypass to escape the approval prompt, so a user must have active protection like WAR to stop the execution immediately.